Shawn,

Thanks for the informative feedback below. I can confirm that your reader #1 does work...sort of. I say sort of because your unfortunate comment that PKCS#11 applications may not work correctly seems to be the case with Firefox 2.0.0.9. Installing the module causes the browser to crash on every startup unless the CAC is present. Inserting the CAC and then starting Firefox allows the browser to start but doesn't allow for use of the CAC, nor does the PKCS#11 module actually recognize the card.

Next, I got excited based on your comments regarding Identity Preferences in Keychain. I inserted my CAC and made my E-mail certificate the preferred certificate for my OWA URL. Setting this preference (or any of the certs on my CAC) leads to Keychain crashing. The only way to open Keychain after setting the preference is to remove my CAC and then delete the preference.

Any further insight would be greatly appreciated since I'm in limbo right now with neither solution working.

Dave
Just wanted to make everyone aware that Apple is aware of this and I am looking into the issues many are having with certain Smart Card Readers. Yes, it would first appear to be an issue with certain Smart Card Readers and not a combination with the Smart Cards themselves, but various user success/failure quickly proves this wrong. I am also working with the reader manufacturers on identifying the problem.

Request

If anyone is willing to send me email (to: geddis [at] apple [dot] com) directly stating the following, which you can gather from the System Profiler Report, it would be greatly appreciated.

Subject: Smart Card Reader Feedback

-- Sample Info --
Working: NO

--System Info--
Model Name: MacBook Pro 15"
Model Identifier: MacBookPro1,1
Processor Name: Intel Core Duo
Processor Speed: 2.16 GHz

--Smart Card Reader Info--
Version: 5.18
Manufacturer: SCM Microsystems, Inc.
Product ID: 0xe001
Vendor ID: 0x04e6

--Smart Card Info--
Manufacturer: Axalto
Card Type: Access 64K
Version: v1
SCM SCRX31

This has long been the reader used within DoD, largely because most were purchased quite some time ago. Be aware that the SCR331 is NOT a specific reader name, but rather a "Family" Name. Hence, it is quite possible that folks are using versions of the reader that may possibly fail. Also note that many have the old ActivCard USBv2 reader which is simply a firmware modification of the SCM SCR331 as well.

I have the following SCM SCR331 Reader working fine on my system, but note the version (firmware), Product ID and Vendor ID of the units. Using "System Profiler" in /Applications/Utilities Folder, you can select the USB port and reader device in the list. If this particular reader is listed under any other name, the problem begins with the Firmware.

Since the attachment would be stripped, I will recreate the contents here in text for those that are working and those that are not:
Readers that ARE working:
(Only ones I had access to for immediate testing on Intel)

Reader #1
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 5.18
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Vendor ID: 0x04e6

Reader #2
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 5.25
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Vendor ID: 0x04e6

Reader #3
System Profiler Name: "Smart Card Reader USB"
Version: 1.01
Manufacturer: OMNIKEY AG
Product ID: 0x3021
Vendor ID: 0x076b

Reader #4
System Profiler Name: "Smart Card Reader USB"
Version: 3.02
Manufacturer: OMNIKEY AG
Product ID: 0x3021
Vendor ID: 0x076b

Readers that ARE NOT working:
(Only ones I had access to for immediate testing on Intel)

Reader #1
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 2.03
Bus Power (mA): 500
Speed: Up to 12 Mb/sec
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x04e6

System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 4.13
Bus Power (mA): 500
Speed: Up to 12 Mb/sec
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x04e6

System Profiler Name: "ActivCard USB Reader V2"
Version: 2.02
Bus Power (mA): 500
Speed: Up to 12 Mb/sec
Manufacturer: ActivCard
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x09c3
_________

Due largely to the dissemination of some incorrect user generated documentation, many have begun to confuse what is needed and what is impacting the use of Smart Cards within their particular environment and system configuration (including apps in use). Let me try to clear much of this up quickly in an email message.

A. Apple Architecture

The Apple Smart Card Services are NOT impacted by the difference between Smart Card Manufacturers or by the capacity of the cards (32K v. 64K), but ARE reliant on two distinct things:

1) Existence of a supporting Tokend for the corresponding "Applet" on the Card.

"Tokend" modules shipped with 10.5:
CAC - Supports CAC & GSC-IS compliant Smart Cards
BELPIC - Supports Belgian National ID compliant Smart Cards
JPKI - Supports Japanese PKI compliant Smart Cards
** NEW FOR 10.5 **
PIV - Supports PIV compliant Smart Cards

2) Existence of a recognized Smart Card Reader

$ ls -al /usr/libexec/SmartCardServices/drivers/
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 CC-PC-Card.bundle
dr-xr-xr-x 3 root wheel 102 Oct 4 00:44 CCIDClassDriver.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 SCR24XHndlr.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 ifd-ASEIIIeUSB.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 ifdok_cm4040_macos-2.0.0.bundle

This would cover:
CC-PC-Card.bundle -- PC Card Readers -- CRYPTOCard P-1
CCIDClassDriver.bundle -- USB Card Readers -- "CCID Compliant"
ifd-ASEIIIeUSB.bundle -- USB Card Readers -- Athena IIIe
SCR24XHndlr.bundle -- PC Card Readers -- SCM SCR24X
ifdok_cm4040_macos-2.0.0.bundle -- PC Card Readers -- OMNIKey CardMan 4040

Any smart card compliant to any of the above specs will appear in the Keychain List after the system has identified the card and propagated the contents up through the Keychain architecture. This is, of course, if the Smart Card Reader is supported and recognized already as well.

NO NEED TO... (Common Myths)
1) Copy Certificates from the Card to the User's Login Keychain
2) Run "pcsctool" to add the ATR value -- it is not used by Apple
3) Make the Smart Card keychain the default keychain

Selection of identities

Some have had problems in the past accessing DoD services (i.e. websites) with the use of their DoD Smart Card. There is an unsupported method to resolve this on 10.4.x and a built-in method to resolve this on 10.5.

Background on problem

The DoD Smart Cards have three identities (Certificate and corresponding Private Key):
- ID
- Email Signing
- Email Encryption

The unfortunate fact is that the ID is not used, but has all of the same Key Usage as the Email Signing. The Email Signing is being used for basically everything. For example, 1) Login, 2) Email Signing, 3) VPN Access....

The catch-22 for users was that the ID Certificate was silently selected by OS X and delivered for User Authentication to network services (Web sites, VPN, etc.). The remote servers did not reject things at the protocol level (i.e. SSL handshake) and hence OS X was unable to handle the unexpected reply.

Servers/Services that did fail at the protocol level allowed Mac OS X to properly handle and propagate the failure of User Auth up to the Application (i.e. Safari). Safari then displayed a list of alternative Certificates that could also be used for the service being requested. Once a selection was made, an "Identity Preference" was created in the user's keychain ensuring that all subsequent attempts to access that service (i.e. URL) would result in the selection and use of the proper certificate.

Method to resolve this on 10.4.x

If you are still on 10.4.x and are running into this scenario, I can provide you with an unsupported tool to manually create the Identity Preference for this service and identity pair. I would discourage the use of tools that modify or block access to objects on the Smart Card, since this will undoubtedly cause you frustration with other services.

Method to resolve this on 10.5.x

Keychain Access on Mac OS X 10.5.x provides a built-in function to Create and Manage Identity Preferences. Select (Click) the appropriate keychain containing your identity. Bring up the contextual menu <ctrl>.

____________________________
B. PKCS#11 Architecture

Some Applications do still exist on Mac OS X that access Smart Cards via PKCS#11, but this is not the same as the Apple Smart Card Services noted above. Apple does NOT provide any integration for PKCS#11 based applications and does not guarantee any arbitration between PKCS#11 Applications and native Mac OS X Applications leveraging the built-in Keychain Services (hence the corresponding Tokend).

Requirements:
* Existence of a PKCS#11 library used by these types of applications.
* Existence of the corresponding ATR value in the corresponding bundle:
  CAC - commonAccessCard.bundle
  GSC-IS - GSCISPlugin.bundle

** ALL 64K DoD Cards would need to have their ATR value added to the corresponding bundle above. Some Newer 32K DoD cards would need to as well.

PKCS#11 Applications currently used by some on Mac OS X:
1) Any Mozilla based applications (Mozilla, FireFox, Thunderbird, etc.)
2) Adobe Acrobat 8

There is no guarantee that PKCS#11 Applications will work on any version of the OS later than 10.3.X.
1) There is no guarantee that PKCS#11 Applications will work on Mac OS X 10.4.x ... without contention with the built in Smart Card Services
2) There is no guarantee that PKCS#11 Applications will work on Mac OS X 10.5.x

If the Smart Card in use is not supported by a tokend, it can be accessed and utilized by PKCS#11 based applications without any conflict with Apple's Smart Card Services.

If you are using PKCS#11 access from another application other than those listed above, please let Shawn Geddis <geddis [at] apple [dot] com> know.

Thank You for your patience with this right now.

- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
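As an added example (not part of the thread, and not an Apple tool), the following Python script checks the readers found in a System Profiler text report against the working/not-working firmware and ID table Shawn posted above. The indented "Name:" / "Key: Value" layout and the sample report are assumptions modelled on the fields quoted in the thread; in practice one would feed it the text output of `system_profiler SPUSBDataType`.

```python
# Added example: match USB smart card readers from a System Profiler text report
# against the firmware/ID table in the thread. Report layout is an assumption.
KNOWN_READERS = {  # (vendor id, product id, firmware) -> status, from the thread
    ("0x04e6", "0xe001", "5.18"): "working",      # SCRx31
    ("0x04e6", "0xe001", "5.25"): "working",      # SCRx31
    ("0x076b", "0x3021", "1.01"): "working",      # OMNIKEY
    ("0x076b", "0x3021", "3.02"): "working",      # OMNIKEY
    ("0x04e6", "0xe001", "2.03"): "not working",  # SCRx31, old firmware
    ("0x04e6", "0xe001", "4.13"): "not working",  # SCRx31, old firmware
    ("0x09c3", "0xe001", "2.02"): "not working",  # ActivCard USB Reader V2
}

def parse_usb_devices(report):
    """One dict per 'Name:' block; only blocks that carry a Vendor ID are kept."""
    devices, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":"):                      # "SCRx31 USB Smart Card Reader:"
            current = {"name": line[:-1]}
            devices.append(current)
        elif ": " in line and current is not None:  # "Product ID: 0xe001"
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return [d for d in devices if "Vendor ID" in d]

def classify(device):
    """Newer profilers append the vendor name after the ID, so compare only
    the first token of each field, lower-cased; unlisted readers are 'unknown'."""
    first = lambda k: (device.get(k, "").split() or [""])[0].lower()
    key = (first("Vendor ID"), first("Product ID"), first("Version"))
    return KNOWN_READERS.get(key, "unknown")

def report_readers(report):
    return [(d["name"], classify(d)) for d in parse_usb_devices(report)]

# Constructed sample, not real profiler output: one failing and one working reader.
SAMPLE_REPORT = """
    USB Bus:
        SCRx31 USB Smart Card Reader:
            Version: 4.13
            Bus Power (mA): 500
            Manufacturer: SCM Microsystems Inc.
            Product ID: 0xe001
            Vendor ID: 0x04e6
        Smart Card Reader USB:
            Version: 3.02
            Manufacturer: OMNIKEY AG
            Product ID: 0x3021
            Vendor ID: 0x076b
"""
```

Running `report_readers(SAMPLE_REPORT)` flags the 4.13 SCRx31 as "not working" and the 3.02 OMNIKEY as "working"; a reader whose IDs or firmware are not in the table comes back "unknown" rather than being guessed at.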